/*
 * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
 * ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 *
 */

package java.security;

import java.util.*;
import java.util.regex.*;

import java.security.Provider.Service;

import sun.security.jca.*;
import sun.security.jca.GetInstance.Instance;
import sun.security.util.Debug;

/**
 * This class provides a cryptographically strong random number
 * generator (RNG).
 *
 * <p>A cryptographically strong random number
 * minimally complies with the statistical random number generator tests
 * specified in <a href="http://csrc.nist.gov/cryptval/140-2.htm">
 * <i>FIPS 140-2, Security Requirements for Cryptographic Modules</i></a>,
 * section 4.9.1.
 * Additionally, SecureRandom must produce non-deterministic output.
 * Therefore any seed material passed to a SecureRandom object must be
 * unpredictable, and all SecureRandom output sequences must be
 * cryptographically strong, as described in
 * <a href="http://www.ietf.org/rfc/rfc1750.txt">
 * <i>RFC 1750: Randomness Recommendations for Security</i></a>.
 *
 * <p>A caller obtains a SecureRandom instance via the
 * no-argument constructor or one of the {@code getInstance} methods:
 *
 * <pre>
 *      SecureRandom random = new SecureRandom();
 * </pre>
 *
 * <p> Many SecureRandom implementations are in the form of a pseudo-random
 * number generator (PRNG), which means they use a deterministic algorithm
 * to produce a pseudo-random sequence from a true random seed.
 * Other implementations may produce true random numbers,
 * and yet others may use a combination of both techniques.
 *
 * <p> Typical callers of SecureRandom invoke the following methods
 * to retrieve random bytes:
 *
 * <pre>
 *      SecureRandom random = new SecureRandom();
 *      byte bytes[] = new byte[20];
 *      random.nextBytes(bytes);
 * </pre>
 *
 * <p> Callers may also invoke the {@code generateSeed} method
 * to generate a given number of seed bytes (to seed other random number
 * generators, for example):
 * <pre>
 *      byte seed[] = random.generateSeed(20);
 * </pre>
 *
 * Note: Depending on the implementation, the {@code generateSeed} and
 * {@code nextBytes} methods may block as entropy is being gathered,
 * for example, if they need to read from /dev/random on various Unix-like
 * operating systems.
 *
 * @author Benjamin Renaud
 * @author Josh Bloch
 * @see java.security.SecureRandomSpi
 * @see java.util.Random
 */

public class SecureRandom extends java.util.Random {

  private static final Debug pdebug =
      Debug.getInstance("provider", "Provider");
  private static final boolean skipDebug =
      Debug.isOn("engine=") && !Debug.isOn("securerandom");

  /**
   * The provider.
   *
   * @serial
   * @since 1.2
   */
  private Provider provider = null;

  /**
   * The provider implementation.
   *
   * @serial
   * @since 1.2
   */
  private SecureRandomSpi secureRandomSpi = null;

  /*
   * The algorithm name of null if unknown.
   *
   * @serial
   * @since 1.5
   */
  private String algorithm;

  // Seed Generator
  private static volatile SecureRandom seedGenerator = null;

  /**
   * Constructs a secure random number generator (RNG) implementing the
   * default random number algorithm.
   *
   * <p> This constructor traverses the list of registered security Providers,
   * starting with the most preferred Provider.
   * A new SecureRandom object encapsulating the
   * SecureRandomSpi implementation from the first
   * Provider that supports a SecureRandom (RNG) algorithm is returned.
   * If none of the Providers support a RNG algorithm,
   * then an implementation-specific default is returned.
   *
   * <p> Note that the list of registered providers may be retrieved via
   * the {@link Security#getProviders() Security.getProviders()} method.
   *
   * <p> See the SecureRandom section in the <a href=
   * "{@docRoot}/../technotes/guides/security/StandardNames.html#SecureRandom">
   * Java Cryptography Architecture Standard Algorithm Name Documentation</a>
   * for information about standard RNG algorithm names.
   *
   * <p> The returned SecureRandom object has not been seeded.  To seed the
   * returned object, call the {@code setSeed} method.
   * If {@code setSeed} is not called, the first call to
   * {@code nextBytes} will force the SecureRandom object to seed itself.
   * This self-seeding will not occur if {@code setSeed} was
   * previously called.
   */
  public SecureRandom() {
        /*
         * This call to our superclass constructor will result in a call
         * to our own {@code setSeed} method, which will return
         * immediately when it is passed zero.
         */
    super(0);
    getDefaultPRNG(false, null);
  }

  /**
   * Constructs a secure random number generator (RNG) implementing the
   * default random number algorithm.
   * The SecureRandom instance is seeded with the specified seed bytes.
   *
   * <p> This constructor traverses the list of registered security Providers,
   * starting with the most preferred Provider.
   * A new SecureRandom object encapsulating the
   * SecureRandomSpi implementation from the first
   * Provider that supports a SecureRandom (RNG) algorithm is returned.
   * If none of the Providers support a RNG algorithm,
   * then an implementation-specific default is returned.
   *
   * <p> Note that the list of registered providers may be retrieved via
   * the {@link Security#getProviders() Security.getProviders()} method.
   *
   * <p> See the SecureRandom section in the <a href=
   * "{@docRoot}/../technotes/guides/security/StandardNames.html#SecureRandom">
   * Java Cryptography Architecture Standard Algorithm Name Documentation</a>
   * for information about standard RNG algorithm names.
   *
   * @param seed the seed.
   */
  public SecureRandom(byte seed[]) {
    super(0);
    getDefaultPRNG(true, seed);
  }

  private void getDefaultPRNG(boolean setSeed, byte[] seed) {
    String prng = getPrngAlgorithm();
    if (prng == null) {
      // bummer, get the SUN implementation
      prng = "SHA1PRNG";
      this.secureRandomSpi = new sun.security.provider.SecureRandom();
      this.provider = Providers.getSunProvider();
      if (setSeed) {
        this.secureRandomSpi.engineSetSeed(seed);
      }
    } else {
      try {
        SecureRandom random = SecureRandom.getInstance(prng);
        this.secureRandomSpi = random.getSecureRandomSpi();
        this.provider = random.getProvider();
        if (setSeed) {
          this.secureRandomSpi.engineSetSeed(seed);
        }
      } catch (NoSuchAlgorithmException nsae) {
        // never happens, because we made sure the algorithm exists
        throw new RuntimeException(nsae);
      }
    }
    // JDK 1.1 based implementations subclass SecureRandom instead of
    // SecureRandomSpi. They will also go through this code path because
    // they must call a SecureRandom constructor as it is their superclass.
    // If we are dealing with such an implementation, do not set the
    // algorithm value as it would be inaccurate.
    if (getClass() == SecureRandom.class) {
      this.algorithm = prng;
    }
  }

  /**
   * Creates a SecureRandom object.
   *
   * @param secureRandomSpi the SecureRandom implementation.
   * @param provider the provider.
   */
  protected SecureRandom(SecureRandomSpi secureRandomSpi,
      Provider provider) {
    this(secureRandomSpi, provider, null);
  }

  private SecureRandom(SecureRandomSpi secureRandomSpi, Provider provider,
      String algorithm) {
    super(0);
    this.secureRandomSpi = secureRandomSpi;
    this.provider = provider;
    this.algorithm = algorithm;

    if (!skipDebug && pdebug != null) {
      pdebug.println("SecureRandom." + algorithm +
          " algorithm from: " + this.provider.getName());
    }
  }

  /**
   * Returns a SecureRandom object that implements the specified
   * Random Number Generator (RNG) algorithm.
   *
   * <p> This method traverses the list of registered security Providers,
   * starting with the most preferred Provider.
   * A new SecureRandom object encapsulating the
   * SecureRandomSpi implementation from the first
   * Provider that supports the specified algorithm is returned.
   *
   * <p> Note that the list of registered providers may be retrieved via
   * the {@link Security#getProviders() Security.getProviders()} method.
   *
   * <p> The returned SecureRandom object has not been seeded.  To seed the
   * returned object, call the {@code setSeed} method.
   * If {@code setSeed} is not called, the first call to
   * {@code nextBytes} will force the SecureRandom object to seed itself.
   * This self-seeding will not occur if {@code setSeed} was
   * previously called.
   *
   * @param algorithm the name of the RNG algorithm. See the SecureRandom section in the <a href=
   * "{@docRoot}/../technotes/guides/security/StandardNames.html#SecureRandom"> Java Cryptography
   * Architecture Standard Algorithm Name Documentation</a> for information about standard RNG
   * algorithm names.
   * @return the new SecureRandom object.
   * @throws NoSuchAlgorithmException if no Provider supports a SecureRandomSpi implementation for
   * the specified algorithm.
   * @see Provider
   * @since 1.2
   */
  public static SecureRandom getInstance(String algorithm)
      throws NoSuchAlgorithmException {
    Instance instance = GetInstance.getInstance("SecureRandom",
        SecureRandomSpi.class, algorithm);
    return new SecureRandom((SecureRandomSpi) instance.impl,
        instance.provider, algorithm);
  }

  /**
   * Returns a SecureRandom object that implements the specified
   * Random Number Generator (RNG) algorithm.
   *
   * <p> A new SecureRandom object encapsulating the
   * SecureRandomSpi implementation from the specified provider
   * is returned.  The specified provider must be registered
   * in the security provider list.
   *
   * <p> Note that the list of registered providers may be retrieved via
   * the {@link Security#getProviders() Security.getProviders()} method.
   *
   * <p> The returned SecureRandom object has not been seeded.  To seed the
   * returned object, call the {@code setSeed} method.
   * If {@code setSeed} is not called, the first call to
   * {@code nextBytes} will force the SecureRandom object to seed itself.
   * This self-seeding will not occur if {@code setSeed} was
   * previously called.
   *
   * @param algorithm the name of the RNG algorithm. See the SecureRandom section in the <a href=
   * "{@docRoot}/../technotes/guides/security/StandardNames.html#SecureRandom"> Java Cryptography
   * Architecture Standard Algorithm Name Documentation</a> for information about standard RNG
   * algorithm names.
   * @param provider the name of the provider.
   * @return the new SecureRandom object.
   * @throws NoSuchAlgorithmException if a SecureRandomSpi implementation for the specified
   * algorithm is not available from the specified provider.
   * @throws NoSuchProviderException if the specified provider is not registered in the security
   * provider list.
   * @throws IllegalArgumentException if the provider name is null or empty.
   * @see Provider
   * @since 1.2
   */
  public static SecureRandom getInstance(String algorithm, String provider)
      throws NoSuchAlgorithmException, NoSuchProviderException {
    Instance instance = GetInstance.getInstance("SecureRandom",
        SecureRandomSpi.class, algorithm, provider);
    return new SecureRandom((SecureRandomSpi) instance.impl,
        instance.provider, algorithm);
  }

  /**
   * Returns a SecureRandom object that implements the specified
   * Random Number Generator (RNG) algorithm.
   *
   * <p> A new SecureRandom object encapsulating the
   * SecureRandomSpi implementation from the specified Provider
   * object is returned.  Note that the specified Provider object
   * does not have to be registered in the provider list.
   *
   * <p> The returned SecureRandom object has not been seeded.  To seed the
   * returned object, call the {@code setSeed} method.
   * If {@code setSeed} is not called, the first call to
   * {@code nextBytes} will force the SecureRandom object to seed itself.
   * This self-seeding will not occur if {@code setSeed} was
   * previously called.
   *
   * @param algorithm the name of the RNG algorithm. See the SecureRandom section in the <a href=
   * "{@docRoot}/../technotes/guides/security/StandardNames.html#SecureRandom"> Java Cryptography
   * Architecture Standard Algorithm Name Documentation</a> for information about standard RNG
   * algorithm names.
   * @param provider the provider.
   * @return the new SecureRandom object.
   * @throws NoSuchAlgorithmException if a SecureRandomSpi implementation for the specified
   * algorithm is not available from the specified Provider object.
   * @throws IllegalArgumentException if the specified provider is null.
   * @see Provider
   * @since 1.4
   */
  public static SecureRandom getInstance(String algorithm,
      Provider provider) throws NoSuchAlgorithmException {
    Instance instance = GetInstance.getInstance("SecureRandom",
        SecureRandomSpi.class, algorithm, provider);
    return new SecureRandom((SecureRandomSpi) instance.impl,
        instance.provider, algorithm);
  }

  /**
   * Returns the SecureRandomSpi of this SecureRandom object.
   */
  SecureRandomSpi getSecureRandomSpi() {
    return secureRandomSpi;
  }

  /**
   * Returns the provider of this SecureRandom object.
   *
   * @return the provider of this SecureRandom object.
   */
  public final Provider getProvider() {
    return provider;
  }

  /**
   * Returns the name of the algorithm implemented by this SecureRandom
   * object.
   *
   * @return the name of the algorithm or {@code unknown} if the algorithm name cannot be
   * determined.
   * @since 1.5
   */
  public String getAlgorithm() {
    return (algorithm != null) ? algorithm : "unknown";
  }

  /**
   * Reseeds this random object. The given seed supplements, rather than
   * replaces, the existing seed. Thus, repeated calls are guaranteed
   * never to reduce randomness.
   *
   * @param seed the seed.
   * @see #getSeed
   */
  synchronized public void setSeed(byte[] seed) {
    secureRandomSpi.engineSetSeed(seed);
  }

  /**
   * Reseeds this random object, using the eight bytes contained
   * in the given {@code long seed}. The given seed supplements,
   * rather than replaces, the existing seed. Thus, repeated calls
   * are guaranteed never to reduce randomness.
   *
   * <p>This method is defined for compatibility with
   * {@code java.util.Random}.
   *
   * @param seed the seed.
   * @see #getSeed
   */
  @Override
  public void setSeed(long seed) {
        /*
         * Ignore call from super constructor (as well as any other calls
         * unfortunate enough to be passing 0).  It's critical that we
         * ignore call from superclass constructor, as digest has not
         * yet been initialized at that point.
         */
    if (seed != 0) {
      secureRandomSpi.engineSetSeed(longToByteArray(seed));
    }
  }

  /**
   * Generates a user-specified number of random bytes.
   *
   * <p> If a call to {@code setSeed} had not occurred previously,
   * the first call to this method forces this SecureRandom object
   * to seed itself.  This self-seeding will not occur if
   * {@code setSeed} was previously called.
   *
   * @param bytes the array to be filled in with random bytes.
   */
  @Override
  synchronized public void nextBytes(byte[] bytes) {
    secureRandomSpi.engineNextBytes(bytes);
  }

  /**
   * Generates an integer containing the user-specified number of
   * pseudo-random bits (right justified, with leading zeros).  This
   * method overrides a {@code java.util.Random} method, and serves
   * to provide a source of random bits to all of the methods inherited
   * from that class (for example, {@code nextInt},
   * {@code nextLong}, and {@code nextFloat}).
   *
   * @param numBits number of pseudo-random bits to be generated, where {@code 0 <= numBits <= 32}.
   * @return an {@code int} containing the user-specified number of pseudo-random bits (right
   * justified, with leading zeros).
   */
  @Override
  final protected int next(int numBits) {
    int numBytes = (numBits + 7) / 8;
    byte b[] = new byte[numBytes];
    int next = 0;

    nextBytes(b);
    for (int i = 0; i < numBytes; i++) {
      next = (next << 8) + (b[i] & 0xFF);
    }

    return next >>> (numBytes * 8 - numBits);
  }

  /**
   * Returns the given number of seed bytes, computed using the seed
   * generation algorithm that this class uses to seed itself.  This
   * call may be used to seed other random number generators.
   *
   * <p>This method is only included for backwards compatibility.
   * The caller is encouraged to use one of the alternative
   * {@code getInstance} methods to obtain a SecureRandom object, and
   * then call the {@code generateSeed} method to obtain seed bytes
   * from that object.
   *
   * @param numBytes the number of seed bytes to generate.
   * @return the seed bytes.
   * @see #setSeed
   */
  public static byte[] getSeed(int numBytes) {
    if (seedGenerator == null) {
      seedGenerator = new SecureRandom();
    }
    return seedGenerator.generateSeed(numBytes);
  }

  /**
   * Returns the given number of seed bytes, computed using the seed
   * generation algorithm that this class uses to seed itself.  This
   * call may be used to seed other random number generators.
   *
   * @param numBytes the number of seed bytes to generate.
   * @return the seed bytes.
   */
  public byte[] generateSeed(int numBytes) {
    return secureRandomSpi.engineGenerateSeed(numBytes);
  }

  /**
   * Helper function to convert a long into a byte array (least significant
   * byte first).
   */
  private static byte[] longToByteArray(long l) {
    byte[] retVal = new byte[8];

    for (int i = 0; i < 8; i++) {
      retVal[i] = (byte) l;
      l >>= 8;
    }

    return retVal;
  }

  /**
   * Gets a default PRNG algorithm by looking through all registered
   * providers. Returns the first PRNG algorithm of the first provider that
   * has registered a SecureRandom implementation, or null if none of the
   * registered providers supplies a SecureRandom implementation.
   */
  private static String getPrngAlgorithm() {
    for (Provider p : Providers.getProviderList().providers()) {
      for (Service s : p.getServices()) {
        if (s.getType().equals("SecureRandom")) {
          return s.getAlgorithm();
        }
      }
    }
    return null;
  }

  /*
   * Lazily initialize since Pattern.compile() is heavy.
   * Effective Java (2nd Edition), Item 71.
   */
  private static final class StrongPatternHolder {

    /*
     * Entries are alg:prov separated by ,
     * Allow for prepended/appended whitespace between entries.
     *
     * Capture groups:
     *     1 - alg
     *     2 - :prov (optional)
     *     3 - prov (optional)
     *     4 - ,nextEntry (optional)
     *     5 - nextEntry (optional)
     */
    private static Pattern pattern =
        Pattern.compile(
            "\\s*([\\S&&[^:,]]*)(\\:([\\S&&[^,]]*))?\\s*(\\,(.*))?");
  }

  /**
   * Returns a {@code SecureRandom} object that was selected by using
   * the algorithms/providers specified in the {@code
   * securerandom.strongAlgorithms} {@link Security} property.
   * <p>
   * Some situations require strong random values, such as when
   * creating high-value/long-lived secrets like RSA public/private
   * keys.  To help guide applications in selecting a suitable strong
   * {@code SecureRandom} implementation, Java distributions
   * include a list of known strong {@code SecureRandom}
   * implementations in the {@code securerandom.strongAlgorithms}
   * Security property.
   * <p>
   * Every implementation of the Java platform is required to
   * support at least one strong {@code SecureRandom} implementation.
   *
   * @return a strong {@code SecureRandom} implementation as indicated by the {@code
   * securerandom.strongAlgorithms} Security property
   * @throws NoSuchAlgorithmException if no algorithm is available
   * @see Security#getProperty(String)
   * @since 1.8
   */
  public static SecureRandom getInstanceStrong()
      throws NoSuchAlgorithmException {

    String property = AccessController.doPrivileged(
        new PrivilegedAction<String>() {
          @Override
          public String run() {
            return Security.getProperty(
                "securerandom.strongAlgorithms");
          }
        });

    if ((property == null) || (property.length() == 0)) {
      throw new NoSuchAlgorithmException(
          "Null/empty securerandom.strongAlgorithms Security Property");
    }

    String remainder = property;
    while (remainder != null) {
      Matcher m;
      if ((m = StrongPatternHolder.pattern.matcher(
          remainder)).matches()) {

        String alg = m.group(1);
        String prov = m.group(3);

        try {
          if (prov == null) {
            return SecureRandom.getInstance(alg);
          } else {
            return SecureRandom.getInstance(alg, prov);
          }
        } catch (NoSuchAlgorithmException |
            NoSuchProviderException e) {
        }
        remainder = m.group(5);
      } else {
        remainder = null;
      }
    }

    throw new NoSuchAlgorithmException(
        "No strong SecureRandom impls available: " + property);
  }

  // Declare serialVersionUID to be compatible with JDK1.1
  static final long serialVersionUID = 4940670005562187L;

  // Retain unused values serialized from JDK1.1
  /**
   * @serial
   */
  private byte[] state;
  /**
   * @serial
   */
  private MessageDigest digest = null;
  /**
   * @serial We know that the MessageDigest class does not implement java.io.Serializable.  However,
   * since this field is no longer used, it will always be NULL and won't affect the serialization
   * of the SecureRandom class itself.
   */
  private byte[] randomBytes;
  /**
   * @serial
   */
  private int randomBytesUsed;
  /**
   * @serial
   */
  private long counter;
}
